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RESPONSE PROCEDURES FOR DATA SUBJECT REQUESTS UNDER GDPR 


1. 


1.1 


1.2 


1.3 


2.1 


2.2 


About these procedures 


Data subjects have certain rights in respect of their personal data. When we process data subjects’ 
personal data, we shall respect those rights. These procedures provide a framework for responding to 
requests to exercise those rights. It is our policy to ensure that requests by data subjects covered by 
these procedures to exercise their rights in respect of their personal data are handled in accordance 
with applicable law. 


For the purposes of these procedures, "personal data" means any information relating to an identified 
or identifiable data subject. An identifiable data subject is anyone who can be identified, directly or 
indirectly, by reference to an identifier, such as a name, identification number or online identifier. 
"Processing" means any operation or set of operations that is performed on personal data, such as 
collection, use, storage, dissemination and destruction. 


These procedures only apply to data subjects whose personal data we process. 


Responding to requests to access personal data 


Data subjects have the right to request access to their personal data processed by us. Such requests 
are called subject access requests (SARs). When a data subject makes an SAR we shall take the 
following steps: 


(a) log the date on which the request was received (to ensure that the relevant timeframe of one 
month for responding to the request is met); 


(b) confirm the identity of the data subject who is the subject of the personal data. For example, 
we may request additional information from the data subject to confirm their identity; 


(c) search databases, systems, applications and other places where the personal data which 
are the subject of the request may be held; and 


(d) confirm to the data subject whether or not personal data of the data subject making the SAR 
are being processed. 


If personal data of the data subject are being processed, we shall provide the data subject with the 
following information in a concise, transparent, intelligible and easily accessible form, using clear and 
plain language, in writing or by other (including electronic) means: 


(a) the purposes of the processing; 


(b) the categories of personal data concerned (for example, contact details, reservation details 
and details of communications activity); 


(c) the recipients or categories of recipient to whom the personal data have been or will be 
disclosed, in particular recipients overseas (for example,, US-based service providers); 
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2.3 


2.4 


2.5 


2.6 


3.1 


(d) where possible, the envisaged period for which the personal data will be stored, or, if not 
possible, the criteria used to determine that period; 


(e) the existence of the right to request rectification or erasure of personal data or restriction of 
processing of personal data or to object to such processing; 


(f) the right to lodge a complaint with the Information Commissioner's Office (ICO); 


(g) where the personal data are not collected from the data subject, any available information as 
to their source; 


(h) the existence of automated decision-making and meaningful information about the logic 
involved, as well as the significance and the envisaged consequences of such processing 
for the data subject; and 


(i) where personal data are transferred outside the EU, details of the appropriate safeguards to 
protect the personal data. 


We shall also, unless there is an exemption (see paragraph 9 below), provide the data subject with a 
copy of the personal data processed by us in a commonly used electronic form (unless the data 
subject either did not make the request by electronic means or has specifically requested not to be 
provided with the copy in electronic form) within one month of receipt of the request. If the request is 
complex, or there are a number of requests, we may extend the period for responding by a further two 
months. If we extend the period for responding we shall inform the data subject within one month of 
receipt of the request and explain the reason(s) for the delay. 


Before providing the personal data to the data subject making the SAR, we shall review the personal 
data requested to see if they contain the personal data of other data subjects. If they do, we may 
redact the personal data of those other data subjects prior to providing the data subject with their 
personal data, unless those other data subjects have consented to the disclosure of their personal 
data. 


If the SAR is manifestly unfounded or excessive, for example, because of its repetitive character, we 
may charge a reasonable fee, taking into account the administrative costs of providing the personal 
data, or refuse to act on the request. 


If we are not going to respond to the SAR we shall inform the data subject of the reason(s) for not 
taking action and of the possibility of lodging a complaint with the ICO. 


Responding to requests to rectify personal data 


Data subjects have the right to have their inaccurate personal data rectified. Rectification can include 
having incomplete personal data completed, for example, by a data subject providing a 
supplementary statement regarding the data. Where such a request is made, we shall, unless there is 
an exemption (see paragraph 9 below), rectify the personal data without undue delay. 
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3.2 We shall also communicate the rectification of the personal data to each recipient to whom the 
personal data have been disclosed (for example, our third party service providers who process the 
data on our behalf), unless this is impossible or involves disproportionate effort. We shall also inform 
the data subject about those recipients if the data subject requests it. 


4. Responding to requests for the erasure of personal data 


4.1 Data subjects have the right, in certain circumstances, to request that we erase their personal data. 
Where such a request is made, we shall, unless there is an exemption (see paragraph 9 below), 
erase the personal data without undue delay if: 


(a) 


(b) 


the personal data are no longer necessary in relation to the purposes for which they were 
collected or otherwise processed; 


the data subject withdraws their consent to the processing of their personal data and 
consent was the basis on which the personal data were processed and there is no other 
legal basis for the processing; 


the data subject objects to the processing of their personal data on the basis of our 
performance of a task carried out in the public interest or in the exercise of official authority 
vested in us, or on the basis of our legitimate interests which override the data subject's 
interests or fundamental rights and freedoms, unless we either can show compelling 
legitimate grounds for the processing which override those interests, rights and freedoms, or 
we are processing the data for the establishment, exercise or defence of legal claims; 


the data subject objects to the processing of their personal data for direct marketing 
purposes; 


the personal data have been unlawfully processed; 


the personal data have to be erased for compliance with a legal obligation to which we are 
subject; or 


the personal data have been collected in relation to the offer of e-commerce or other online 
services. 


4.2 When a data subject makes a request for erasure in the circumstances set out above, we shall, 
unless there is an exemption (see paragraph 4.5 and paragraph 9 below), take the following steps: 


(a) 


(b) 


log the date on which the request was received (to ensure that the relevant timeframe of one 
month for responding to the request is met); 


confirm the identity of the data subject who is the subject of the personal data. We may 
request additional information from the data subject to do this; 


search databases, systems, applications and other places where the personal data which 
are the subject of the request may be held and erase such data within one month of receipt 
of the request. If the request is complex, or there are a number of requests, we may extend 
the period for responding by a further two months. If we extend the period for responding we 
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shall inform the data subject within one month of receipt of the request and explain the 
reason(s) for the delay; 


where we have made the personal data public, we must, taking reasonable steps, including 
technical measures, inform those who are processing the personal data that the data subject 
has requested the erasure by them of any links to, or copies or replications of, those 
personal data; and 


communicate the erasure of the personal data to each recipient to whom the personal data 
have been disclosed unless this is impossible or involves disproportionate effort. We shall 
also inform the data subject about those recipients if the data subject requests it. 


4.3 If the request is manifestly unfounded or excessive, for example, because of its repetitive character, 
we may charge a reasonable fee, taking into account the administrative costs of erasure, or refuse to 
act on the request. 


4.4 If we are not going to respond to the request we shall inform the data subject of the reasons for not 
taking action and of the possibility of lodging a complaint with the ICO. 


4.5 In addition to the exemptions in paragraph 9 below, we can also refuse to erase the personal data to 
the extent processing is necessary: 


(a) 
(b) 


(e) 


for exercising the right of freedom of expression and information; 


for compliance with a legal obligation which requires processing by law and to which we are 
subject or for the performance of a task carried out in the public interest or in the exercise of 
official authority vested in us; 


for reasons of public interest in the area of public health; 


for archiving purposes in the public interest, scientific or historical research purposes, or 
statistical purposes in so far as the right to erasure is likely to render impossible or seriously 
impair the achievement of the objectives of that processing; or 


for the establishment, exercise or defence of legal claims. 


5. Responding to requests to restrict the processing of personal data 


5.1 Data subjects have the right, unless there is an exemption (see paragraph 9 below), to restrict the 
processing of their personal data if: 


(a) 


(b) 


the data subject contests the accuracy of the personal data, for a period to allow us to verify 
the accuracy of the personal data; 


the processing is unlawful and the data subject opposes the erasure of the personal data 
and requests the restriction of their use instead; 


we no longer need the personal data for the purposes we collected them, but they are 
required by the data subject for the establishment, exercise or defence of legal claims; and 


the data subject has objected to the processing, pending verification of whether we have 
legitimate grounds to override the data subject's objection. 
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5.2 


5.3 


5.4 


6.1 


6.2 


6.3 


Where processing has been restricted, we shall only process the personal data (excluding storing 
them): 


(a) with the data subject's consent; 
(b) for the establishment, exercise or defence of legal claims; 
(c) for the protection of the rights of another person; or 


(d) for reasons of important public interest. 
Prior to lifting the restriction, we shall inform the data subject of the lifting of the restriction. 


We shall communicate the restriction of processing of the personal data to each recipient to whom the 
personal data have been disclosed, unless this is impossible or involves disproportionate effort. We 
shall also inform the data subject about those recipients if the data subject requests it. 


Responding to requests for the portability of personal data 


Data subjects have the right, in certain circumstances, to receive their personal data that they have 
provided to us in a structured, commonly used and machine-readable format that they can then 
transmit to another company. Where such a request is made, we shall, unless there is an exemption 
(see paragraph 9 below), provide the personal data without undue delay if: 


(a) the legal basis for the processing of the personal data is consent or pursuant to a contract; 
and 


(b) our processing of those data is automated. 


When a data subject makes a request for portability in the circumstances set out above, we shall take 
the following steps: 


(a) log the date on which the request was received (to ensure that the relevant timeframe of one 
month for responding to the request is met); 


(b) confirm the identity of the data subject who is the subject of the personal data. We may 
request additional information from the data subject to confirm their identity; and 


(c) search databases, systems, applications and other places where the personal data which 
are the subject of the request may be held and provide the data subject with such data (or, 
at the data subject's request, transmit the personal data directly to another company, where 
technically feasible) within one month of receipt of the request. If the request is complex, or 
there are a number of requests, we may extend the period for responding by a further two 
months. If we extend the period for responding we shall inform the data subject within one 
month of receipt of the request and explain the reason(s) for the delay. 


If the request is manifestly unfounded or excessive, for example, because of its repetitive character, 
we may charge a reasonable fee, taking into account the administrative costs of providing or 
transmitting the personal data, or refuse to act on the request. 
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6.4 


7.1 


7.2 


7.3 


7.4 


8.1 


8.2 


If we are not going to respond to the request we shall inform the data subject of the reasons for not 
taking action and of the possibility of lodging a complaint with the ICO. 


Responding to objections to the processing of personal data 


Data subjects have the right to object to the processing of their personal data where such processing 
is on the basis of our performance of a task carried out in the public interest or in the exercise of 
official authority vested in us, or on the basis of our legitimate interests which override the data 
subject's interests or fundamental rights and freedoms, unless we either: 


(a) | can show compelling legitimate grounds for the processing which override those interests, 
rights and freedoms; or 


(b) are processing the personal data for the establishment, exercise or defence of legal claims. 


Data subjects also have the right to object to the processing of their personal data for scientific or 
historical research purposes, or statistical purposes, unless the processing is necessary for the 
performance of a task carried out for reasons of public interest. 


Where such an objection is made, we shall, unless there is an exemption (See paragraph 9 below), no 
longer process a data subject's personal data. 


Where personal data are processed for direct marketing purposes, data subjects have the right to 
object at any time to the processing of their personal data for such marketing. If a data subject makes 
such a request, we shall stop processing the personal data for such purposes. 


Responding to requests not to be subject to automated decision-making 


Data subjects have the right, in certain circumstances, not to be subject to a decision based solely on 
the automated processing of their personal data, if such decision produces legal effects concerning 
them or similarly significantly affects them. Where such a request is made, we shall, unless there is an 
exemption (see paragraph 9 below), no longer make such a decision unless it: 


(a) is necessary for entering into, or the performance of, a contract between us and the data 
subject; 

(b) is authorised by applicable law which lays down suitable measures to safeguard the data 
subject's rights, freedoms and legitimate interests; or 


(c) is based on the data subject's explicit consent. 
If the decision falls within paragraph 8.1(a) or paragraph 8.1(c), we shall implement suitable measures 


to safeguard the data subject's rights, freedoms and legitimate interests, including the right to obtain 
human intervention, to express their point of view and to contest the decision. 
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9. Exemptions 


9.1 Before responding to any request we shall check whether there are any exemptions that apply to the 
personal data that are the subject of the request. Exemptions may apply where it is necessary and 
proportionate not to comply with the requests described above to safeguard: 


national security; 
defence; 
public security; 


the prevention, investigation, detection or prosecution of criminal offences or the execution 
of criminal penalties, including the safeguarding against and the prevention of threats to 
public security; 


other important objectives of general national public interest, in particular an important 
national economic or financial interest, including monetary, budgetary and taxation matters, 
public health and social security; 


the protection of judicial independence and judicial proceedings; 


the prevention, investigation, detection and prosecution of breaches of ethics for regulated 
professions; 


a monitoring, inspection or regulatory function connected, even occasionally, to the exercise 
of official authority in the cases referred to in paragraph 9.1(a) to (e) and paragraph 9.1(g) 
above; 


the protection of the data subject or the rights and freedoms of others; or 


the enforcement of civil law claims. 
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